Companies Likely Running Vulnerable Oracle E-Business Suite

Half of the firms are likely running Oracle E-Business Suite with two security vulnerabilities which would lead to a financial attack and compliance violations.

Companies need to patch a pair of security vulnerabilities found in Oracle's E-Business Suite (EBS). Otherwise, they pose a threat of potential financial fraud and failing to comply with financial regulations, such as Sarbanes-Oxley, according to application-security firm Onapsis. 

Vulnerabilities:

The two flaws i.e. CVE-2020-2586 and CVE-2020-2587are detected as the vulnerability in Oracle's E-Business Suite.

How exploit works?

CVE-2020-2586 & CVE-2020-2587: Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Human Resources. While the vulnerability is in Oracle Human Resources, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Human Resources. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). Since the two issues could have allowed an attacker to execute
code on the server and conduct financial fraud. Therefore, it is vulnerable to remote code execution (RCE).

Affected Versions: Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9.

The vulnerabilities open up the EBS applications and its various modules to an unauthenticated remote exploit, bypassing controls allowing the modification of financial data.

According to Juan Perez-Etchegoyen, chief technology officer at Onapsis, the vulnerable component is installed by default in every Oracle EBS instance and it can't be disabled, it can only be patched by applying the January 2020 critical patch update (CPU). However, only about half of firms have likely applied the critical update and average companies take one to two quarters to update its systems.

It is even more important for those companies who have Internet-facing systems as a way to allow access to their remote workforce because such companies rely on the systems to help manage their now-distributed operations. These applications and the patches have a lot of complexity in how to deploy them, so verifying that the patch is applied right is an important task.

The vulnerability advisory underscores that software flaws in critical business applications, such as enterprise resource planning (ERP) software, should be kept at utmost priority during the updation.

Oracle E-Business Servers are a popular ERP solution, which allows the businesses to track their organizations and use of infrastructure to improve decision-making and reduce costs. The application usually supports the entire business platform, from managing the supply chain to financial management.

The work-from-home trend has resulted in many more instances of Oracle E-Business Server being accessible from the Internet, apparently allowing the remote workers in human resources, engineering, and management the ability to access the server.

 

In November, Onapsis initially revealed a pair of flaws that could allow a similar attack. Dubbed the Payday vulnerabilities, the two issues could have allowed an attacker to execute code on the server and conduct financial fraud with the company's accounting.

 

Similar Vulnerabilities:

Similarly, with the latest vulnerabilities, which Onapsis named "BigDebIT," an attacker could gain access to any functionality of the application, including the financial side of the ERP service, allowing financial attacks to occur.

An attacker can execute and cover up transactions and then intercept the info coming from the bank, Onapsis states in the report. "There would be no reconciling of the transaction and audit would likely miss it as well."

The company also raises the specter that companies failing to apply patches could open themselves up to failure to comply with financial regulations.

Any Oracle EBS customer that did not apply the Critical Patch Update (CPU) from January 2020 and is regulated by Sarbanes-Oxley (SOX) may find deficiencies in Internal Control over Financial Reporting (ICFR), the report states. Onapsis's Perez-Etchegoyen says there are no indications yet that a public exploit for the flaws have been released to date.

Recommendations:

1) It is recommended to customers to apply the Critical Patch Updates from January 2020 without any delay to follow the secure configuration.

2) Companies must check that they are up-to-date with the latest patches that have come across.

3) Customers should install patch update KB4551762 for affected operating systems to be protected from RCE.

4) To Prevent Remote Code Execution:

  • Try to blacklist special chars or function names.
  • Pass any user controlled input inside evaluation functions or callbacks.